Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Question: 1.
Which addresses below would be valid IP addresses of hosts on the Internet? (Multiple answer)
A. 235.1.1.1
B. 223.20.1.1
C. 10.100.1.1
D. 127.0.0.1
E. 24.15.1.1
Answer: B, E
Explanation:
When you create an internal network, we recommend you use one of the following address
groups reserved by the Network Working Group (RFC 1918) for private network addressing:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
Class D address start with the 1110 bit so the 223.20.1.1 is a legal class C address
Question: 2.
On an Ethernet LAN, a jam signal causes a collision to last long enough for all other nodes to
recognize that:
A. A collision has occurred and all nodes should stop sending.
B. Part of a hash algorithm was computed, to determine the random amount of time the nodes
should back off before retransmitting.
C. A signal was generated to help the network administrators isolate the fault domain between
two Ethernet nodes.
D. A faulty transceiver is locked in the transmit state, causing it to violate CSMA/CD rules.
E. A high-rate of collisions was caused by a missing or faulty terminator on a coaxial Ethernet
network.
Answer: A
Explanation:
When a collision is detected the device will "transmit a jam signal" this will will inform all the
devices on the network that there has been a collision and hence stop them initiating the
transmission of new data. This "jam signal" is a sequence of 32 bits that can have any value as
long as it does not equal the CRC value in the damaged frame's FCS field. This jam signal is
normally 32 1's as this only leaves a 1 in 2^32 chance that the CRC is correct by chance.
Because the CRC value is incorrect all devices listening on the network will detect that a collision
has occurred and hence will not create further collisions by transmitting immediately. "Part of a
hash algorithm was computed, to determine the random amount of time the nodes should back
off before retransmitting." WOULD SEEM CORRECT BUT IT IS NOT After transmitting the jam
signal the two nodes involved in the collision use an algorithm called the "truncated BEB
(truncated binary exponential back off)" to determine when they will next retransmit. The
algorithm works as follows: Each device will wait a multiple of 51.2us (minimum time required for
signal to traverse network) before retransmitting. 51.2us is known as a "slot". The device will wait
wait a certain number of these time slots before attempting to retransmit. The number of time
slots is chosen from the set {0,.....,2^k-1} at random where k= number of collisions. This means k
is initialized to 1and hence on the first attempt k will be chosen at random from the set {0,1} then
on the second attempt the set will be {0,1,2,3} and so on. K will stay at the value 10 in the 11, 12,
Page 1 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
13, 14, 15 and 16th attempt but on the 17th attempt the MAC unit stops trying to transmit and
reports an error to the layer above.
Question: 3.
Which statements about TACACS+ are true? (multiple answer)
A. If more than one TCACS+ server is configured and the first one does not respond within a
given timeout period, the next TACACS+ server in the list will be contacted.
B. The TACACS+ server’s connection to the NAS encrypts the entire packet, if a key is used at
both ends.
C. The TACACS+ server must use TCP for its connection to the NAS.
D. The TACACS+ server must use UDP for its connection to the NAS.
E. The TACACS+ server may be configured to use TCP of UDP for its connection to the NAS
Answer: A, B, C
Explanation:
PIXFirewall permits the following TCP literal names: bgp, chargen, cmd,daytime, discard, domain,
echo, exec, finger, ftp, ftp-data, gopher, h323,hostname, http, ident, irc, klogin, kshell, lpd, nntp,
pop2, pop3, pptp,rpc, smtp, sqlnet, sunrpc, TACACS, talk, telnet, time, uucp, whois, and www. To
specify a TACACS host, use the tacacs-server host globalconfiguration command. Use the no
form of this command to delete thespecified name or address. timeout= (Optional) Specify a
timeout value. This overrides the global timeout value set with the tacacs-server timeout
command for this serveronly. tacacs-server key To set the authentication encryption key used for
all TACACS+ communicationsbetween the access server and the TACACS+ daemon, use the
tacacs-server keyglobal configuration command. Use the no form of this command to disable the
key. key = Key used to set authentication and encryption. This key must match the key used on
the TACACS+ daemon.
Question: 4.
A Network Administrator is trying to configure IPSec with a remote system. When a tunnel is
initiated from the remote end, the security associations (SAs) come up without errors. However,
encrypted traffic is never send successfully between the two endpoints. What is a possible
cause?
A. NAT could be running between the two IPSec endpoints.
B. A mismatched transform set between the two IPSec endpoints.
C. There is a NAT overload running between the two IPSec endpoints.
D. Mismatched IPSec proxy between the two IPSec endpoints.
Answer: C
Explanation:
This configuration will not work with port address translation (PAT). Note: NAT is a one-to-one
address translation, not to be confused with PAT, which is a many (inside the firewall)-to-one
translation. IPSec with PAT may not work properly because the outside tunnel endpoint device
cannot handle multiple tunnels from one IP address. You will need to contact your vendor to
determine if the tunnel endpoint devices will work with PAT Question- What is PAT, or NAT
overloading? Answer- PAT, or NAT overloading, is a feature of Cisco IOS NAT and can be used
to translate internal (inside local) private addresses to one or more outside (inside global—usually
registered) IP addresses. Unique source port numbers on each translation are used to distinguish
between the conversations. With NAT overload, a translation table entry containing full address
and source port information is created.
Question: 5.
Page 2 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Which are the principles of a one way hash function? (Multiple answer)
A. A fixed length output is created from a variable length input by a hash function.
B. A hash function cannot be random and the receiver cannot decode the hash.
C. A hash function is usually operated in an IPSec environment to provide a fingerprint for a
packet.
D. A hash function must be easily decipherable by anyone who is listening to the exchange.
Answer: A, C
Explanation:
Developers use a hash function on their code to compute a diges, which is also known as a one-
way hash .The hash function securely compresses code of arbitrary length into a fixed-length
digest result.
Question: 6.
Exhibit:
What is the expected behavior of IP traffic from the clients attached to the two Ethernet subnets?
A. Traffic between the Ethernet subnets on both routers will have to be decrypted.
B. NAT will translate the traffic between the Ethernet subnets on both routers.
C. Traffic will successfully access the Internet, though it will have to be decrypted between the
router’s Ethernet subnets.
D. Traffic will successfully access the Internet fully encrypted.
E. Traffic bound for the Internet will not be routed because the source IP addresses are private.
Answer: C
Explanation:
NOT ENOUGH OF THE ESHIBIT TO MAKE A REAL CHOICE. THE ESHIBIT IS ONE OF
IPSEC TAKE YOUR BEST SHOT.
Question: 7.
A ping of death is when:
Page 3 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
A. An IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the
“type”field in the ICMP header is set to 18 (Address Mask Reply).
B. An IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP), the Last
Fragment bit is set, and (IP offset ‘ 8) + (IP data length) >65535. In other words, the IP offset
(which represents the starting position of this fragment in the original packet, and which is in 8-
byte units) plus the rest of the packet is greater than the maximum size for an IP packet.
C. An IP datagram is received with the “protocol” field in the IP header set to 1 (ICMP) and the
source equal to destination address.
D. The IP header is set to 1 (ICMP) and the “type” field in the ICMP header is set to 5 (Redirect).
Answer: B
Explanation:
"A hacker can send an IP packet to a vulnerable machine such that the last fragment contains an
offest where (IP offset *8) + (IP data length)>65535. This means that when the packet is
reassembled, its total length is larger than the legal limit, causing buffer overruns in the machine's
OS (becouse the buffer sizes are defined only to accomodate the maximum allowed size of the
packet based on RFC 791)...IDS can generally recongize such attacks by looking for packet
fragments that have the IP header's protocol field set to 1 (ICMP), the last bit set, and (IP offset
*8) +(IP data length)>65535" CCIE Professional Development Network Security Principles and
Practices by Saadat Malik pg 414 "Ping of Death" attacks cause systems to react in an
unpredictable fashion when receiving oversized IP packets. TCP/IP allows for a maximum packet
size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP
header information and zero or more octets of optional information, with the rest of the packet
being data. Ping of Death attacks can cause crashing, freezing, and rebooting.
Question: 8.
Why would a Network Administrator want to use Certificate Revocation Lists (CRLs) in their
IPSec implementations?
A. They allow the ability to do “on the fly” authentication of revoked certificates.
B. They help to keep a record of valid certificates that have been issued in their network.
C. They allow them to deny devices with certain certificates from being authenticated to their
network.
D. Wildcard keys are much more efficient and secure. CRLs should only be used as a last resort.
Answer: C
Explanation:
A method of certificate revocation. A CRL is a time-stamped list identifying revoked certificates,
which is signed by a CA and made available to the participating IPSec peers on a regular periodic
basis (for example, hourly, daily, or weekly). Each revoked certificate is identified in a CRL by its
certificate serial number. When a participating peer device uses a certificate, that system not only
checks the certificate signature and validity but also acquires a most recently issued CRL and
checks that the certificate serial number is not on that CRL.
Question: 9.
A SYN flood attack is when:
A. A target machine is flooded with TCP connection requests with randomized source address &
ports for the TCP ports.
B. A target machine is sent a TCP SYN packet (a connection initiation), giving the target host’s
address as both source and destination, and is using the same port on the target host as both
source and destination.
Page 4 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
C. A TCP packet is received with the FIN bit set but with no ACK bit set in the flags field.
D. A TCP packet is received with both the SYN and the FIN bits set in the flags field.
Answer: A
Explanation:
To a server that requires an exchange of a sequence of messages. The client system begins by
sending a SYN message to the server. The server then acknowledges the SYN message by
sending a SYNACK message to the client. The client then finishes establishing the connection by
responding with an ACK message and then data can be exchanged. At the point where the
server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received
the ACK message, there is a half-open connection.
A data structure describing all pending connections is in memory of the server that can be made
to overflow by intentionally creating too many partially open connections. Another common attack
is the SYN flood, in which a target machine is flooded with TCP connection requests. The source
addresses and source TCP ports of the connection request packets are randomized; the purpose
is to force the target host to maintain state information for many connections that will never be
completed. SYN flood attacks are usually noticed because the target host (frequently an HTTP or
SMTP server) becomes extremely slow, crashes, or hangs. It's also possible for the traffic
returned from the target host to cause trouble on routers; because this return traffic goes to the
randomized source addresses of the original packets, it lacks the locality properties of "real" IP
traffic, and may overflow route caches. On Cisco routers, this problem often manifests itself in the
router running out of memory.
Question: 10.
What kind of interface is not available on the Cisco Secure Intrusion Detection System sensor?
A. Ethernet
B. Serial
C. Token Ring
D. FDDI
Answer: B
Explanation:
Sensors are optimized for specific data rates and are packaged in Ethernet, Fast Ethernet
(100BaseT), Token Ring, and FDDI configurations
Question: 11.
Exhibit:
Page 5 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Given the configuration shown, what is the expected behavior of IP traffic travelling from the
attached clients to the two Ethernet subnets? (Multiple answer)
A. Traffic bound for the Internet will be translated by NAT and will be decrypted.
B. Traffic bound for the Internet will be unrouted due to private source IP addresses.
C. Traffic will not successfully access the Internet or the subnets of the remote router’s Ethernet
interface.
D. Traffic between the Ethernet subnets on both routers will be encrypted.
E. Traffic will be translated by NAT between the Ethernet subnets on both routers.
Answer: D
Question: 12.
How is data between a router and a TACACS+ server encrypted?
A. CHAP Challenge responses
B. DES encryption, if defined
C. MD5 has using secret matching keys
D. PGP with public keys
Answer: C
Explanation:
"The hash used in TACACS+ is MD5" CCIE Professional Development Network Security
Principles and Practices by Saadat Malik pg 497
Question: 13.
A gratuitous ARP is used to: (Multiple answer)
A. Refresh other devices’ ARP caches after reboot.
B. Look for duplicate IP addresses.
C. Refresh the originating server’s cache every 20 minutes.
D. Identify stations without MAC addresses.
Page 6 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
E. Prevent proxy ARP from becoming promiscuous.
Answer: A, B
Explanation:
NOT SURE ABOUT THIS QUESTION - Refresh the originating server’s cache every 20 minutes.
could be an swer but the test wants only 2 Gratuitous ARP [23] is an ARP packet sent by a node
in order to spontaneously cause other nodes to update an entry in their ARP cache. A gratuitous
ARP MAY use either an ARP Request or an ARP Reply packet. In either case, the ARP Sender
Protocol Address and ARP Target Protocol Address are both set to the IP address of the cache
entry to be updated, and the ARP Sender Hardware Address is set to the link-layer address to
which this cache entry should be updated. When using an ARP Reply packet, the Target
Hardware Address is also set to the link-layer address to which this cache entry should be
updated (this field is not used in an ARP Request packet).
Most hosts on a network will send out a Gratuitous ARP when they are initialising their IP stack.
This Gratuitous ARP is an ARP request for their own IP address and is used to check for a
duplicate IP address. If there is a duplicate address then the stack does not complete
initialisation.
Question: 14.
What functionality best defines the use of a ‘stub’ area within an OSPF environment?
A. A stub area appears only on remote areas to provide connectivity to the OSPF backbone.
B. A stub area is used to inject the default route for OSPF.
C. A stub area uses the no-summary keyword to explicitly block external routes, defines the non-
transit area, and uses the default route to reach external networks.
D. A stub area is used to reach networks external to the sub area.
Answer: C
Explanation:
These areas do not accept routes belonging to external autonomous systems (AS); however,
these areas have inter-area and intra-area routes. In order to reach the outside networks, the
routers in the stub area use a default route which is injected into the area by the Area Border
Router (ABR). A stub area is typically configured in situations where the branch office need not
know about all the routes to every other office, instead it could use a default route to the central
office and get to other places from there.
Hence the memory requirements of the leaf node routers is reduced, and so is the size of the
OSPF database.
Question: 15.
What is the best explanation for the command aaa authentication ppp default if-needed tacacs+?
A. If authentication has been enabled on an interface, use TACACS+ to perform authentication.
B. If the user requests authentication, use TACACS+ to perform authentication.
C. If the user has already been authenticated by some other method, do not run PPP
authentication.
D. If the user is not configured to run PPP authentication, do not run PPP authentication.
E. If the user knows the enable password, do not run PPP authentication.
Answer: C
Explanation:
Page 7 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
The if-needed option tells the router to perform the specified authentication only if the user has
not been authenticated by another method.
Question: 16.
To restrict SNMP access to a router, what configuration command could be used?
A. snmp-server community
B. snmp-server public
C. snmp-server password
D. snmp-server host
Answer: A
Explanation:
Configure the community string (Optional) For access-list-number, enter an IP standard access
list numbered from 1 to 99 and 1300 to 1999.
Question: 17.
TFTP security is controlled by: (Multiple answer)
A. A default TFTP directory.
B. A username/password.
C. A TFTP file.
D. A pre-existing file on the server before it will accept a put.
E. File privileges.
Answer: A, D, E
Explanation:
Username/password- is for FTP a default TFTP directory - one has to be in your tftp server and
the location listed in the tftp command In uploading code you need to have a file but some
programs like solarwinds will download the running config via tftp and make the file
Question: 18.
Which statements are true about RIP v1? (Multiple answer)
A. RIP v1 is a classful routing protocol.
B. RIP v1 does not carry subnet information in its routing updates.
C. RIP v1 does not support Variable Length Subnet Masks (VLSM).
D. RIP v1 can support discontiguous networks.
Answer: A, B, C
Explanation:
RIP and IGRP are classful protocols
Why Doesn't RIP or IGRP Support Discontiguous Networks?
Question: 19.
In the IOS Firewall Feature Set, what kind of traffic is NOT subject to inspection?
A. FTP
B. TFTP
C. ICMP
D. SMTP
Page 8 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Answer: C
Explanation:
CBAC-Supported applications (Deployable on a modular basis):
Question: 20.
Exhibit:
S* 0.0.0.0/0 [1/0] via 172.31.116.65
D 172.16.0.0/24 [90/48609] via 10.1.1.1
R 172.16.0.0/16 [120/4] via 192.168.1.4
A router has the above routers listed in its routing table and receives a packet destined for
172.16.0.45. What will happen?
A. The router will not forward this packet, since it is destined for the 0 subnet.
B. The router will forward the packet though 172.31.116.65, since it has the lowest metric.
C. The router will forward the packet through 10.1.1.1.
D. The router will forward the packet through 172.31.116.65, since it has the lowest administrative
distance.
E. The router will forward the packet through 192.168.1.4.
Answer: C
Explanation:
D= EIGRP and the lowest metric of the routing protocols
R= Rip AD of 120 S* default route The 0.0.0.0 is a default route for packets that dont match the
other routes is to be forworded to 172.31.116.65
Question: 21.
In the Cisco Secure Intrusion Detection System/HP OpenView interface, a “yellow” sensor icon
would mean:
A. A “yellow” sensor icon means that a sensor daemon had logged a level 4 or 5 alarm.
B. A “yellow” sensor icon means that the director that the sensor reports to is operating in
degraded mode.
C. A “yellow” sensor icon means that a sensor daemon had logged a level 3 alarm.
D. A “yellow” sensor icon means that the device that the sensor detected being attacked is
inoperative due to the attack.
Answer: C
Explanation:
Alarm level 3 and 4 are medium. Medium severity is displayed in yellow, then icon medium
severity is a yellow flag. by defualt events at level 1 and 2 are low, events at level 3 and 4 are
medium, level 5 and higher are high. Cisco Secure intrusion detection system by Earl Carter p.
148, 213, 214
Question: 22.
Symptoms:
- Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
- Console logging: level warning, 0 messages logged
- Monitor logging: level informational, 0 messages logged
- Buffer logging: level informational, 0 message lines logged
Page 9 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Note:
Router 1’s CPU is normally above 25% busy switching packets
Scenario:
Host A cannot reach the FTP Server, but can reach Host B. The network administrator suspects
that packets are travelling from network 10.1.5.0 to the FTP Server, but packets are not returning.
The administrator logs into the console port of Router 1. When Host A sends a ping to the FTP
Server, the administrator executes a “debug ip packet” command on the router.
Exhibit:
The administrator does not see any output. What additional commands could be used to see the
packets flowing from Ethernet 0 to Ethernet 1?
A. terminal monitor
B. configure terminal
logging console debug
C. configure terminal
no logging buffered
D. configure terminal
logging console debug
interface ethernet1
no ip route-cache
E. configure terminal
interface ethernet0
no ip route-cache
Answer: D
Question: 23.
What is the first thing that must be done to implement network security at a specific site?
A. Hire a qualified consultant to install a firewall and configure your router to limit access to known
traffic.
B. Run software to identify flaws in your network perimeter.
C. Purchase and install a firewall to protect your network.
D. Install access-control lists in your perimeter routers, so you can ensure that only known traffic
is getting through your router.
E. Design a security policy.
Answer: E
Explanation:
A Network security policy defines a framework to protect the assets connected to a network
based on a risk assessment analysis. A network security policy defines the access limitations and
Page 10 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
rules for accessing various assets connected to a network. It is the source of information for users
and administrators as they set up, use, and audit the network. CCIE Professional Development
Network Security Principles and Practices by Saadat Malik pg 8
Question: 24.
What would be the best reason for selecting L2TP as a tunnel protocol for a VPN Client?
A. L2TP uses TCP as a lower level protocol so the transmissions are connected oriented,
resulting in more reliable delivery.
B. L2TP uses PPP so address allocation and authentication is built into the protocol instead of
relying on IPSec extended functions, like mode config and a-auth.
C. L2TP does not allow the use of wildcard pre-shared keys, which is not as secure as some
other methods.
D. L2TP has less overhead than GRE.
Answer: B
Explanation:
L2TP uses UDP which is connectionless protocol CCIE Professional Development Network
Security Principles and Practices by Saadat Malik pg 243 L2TP, which stands for Layer 2
Tunneling Protocol, is an IETF standard emerging that combines Layer 2 Forwarding protocol
(L2F) and Point-to-PointTunneling protocol (PPTP). L2TP has all the security benefits of PPP,
including multiple per user authentication options (CHAP, PAP, and MS-CHAP). It also can
authenticate the tunnel end points, which prevents potential intruders from building a tunnel and
accessing precious corporate data. To ensure further data confidentiality, Cisco recommends
adding IPSec to any L2TP implementation. Depending on the corporation's specific network
security requirements, L2TP can be used in conjunction with tunnel encryption, end-to-end data
encryption, or end-to-end application encryption. L2TP header: 16 bytes maximum (in case all
options are used, RFC 2661) 24 (bit) for the GRE overhead
Question: 25.
In the IOS Firewall Feature Set, which network layers are examined by CBAC to make filtering
decisions? (Multiple answer)
A. Transport
B. Application
C. Network
D. Presentation
E. Data Link
Answer: A, B, C
Explanation:
CBAC intelligently filters TCP and UDP packets based on application-layer protocol session
information and can be used for intranets, extranets and the Internet. You can configure CBAC to
permit specified TCP and UDP traffic through a firewall only when the connection is initiated from
within the network you want to protect. (In other words, CBAC can inspect traffic for sessions that
originate from the external network.) However, CBAC examines not only network layer and
transport layer information but also examines the application-layer protocol information
(Such as FTP connection information) to learn about the state of the TCP or UDP session.
Question: 26.
In BGP, why should a Route Reflector be used?
A. To overcome issues of split-horizon within BGP.
Page 11 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
B. To reduce the number of External BGP peers by allowing updates to reflect without the need to
be fully meshed.
C. To allow the router to reflect updates from one Internal BGP speaker to another without the
need to be fully meshed.
D. To divide Autonomous Systems into mini-Autonomous Systems, allowing the reduction in the
number of peers.
E. None of the above.
Answer: C
Explanation:
"Route reflectors are useful when an AS contains a large number of IBGP peers. Unless EBGP
routes are redistributed into the autonomous systems' IGP, all IBGP peers must be fully meshed.
Route reflectors offer an alternative to fully meshed IBGP peers." CCIE Professional
Development Routing TCP/IP Volume II by Jeff Doyle and Jennifer Dehaven Carroll.
Question: 27.
A router sends an ICMP packet, with the Type 3 (host unreachable) and Code 4 (DF bit set) flags
set, back to the originating host. What is the expected action of the host?
A. The host should reduce the size of future packets it may send to the router.
B. This scenario cannot occur, since the packet will be fragmented and sent to the original
destination.
C. The sending station will stop sending packets, because the router is not expecting to see the
DF bit in the incoming packet.
D. The sending station will clear the DF bit and resend the packet.
E. If the router has an Ethernet interface, this cannot occur because the MTU is fixed at 1500
bytes. Any other interface may legally generate this packet.
Answer: A
Explanation:
There must have been a reson the host set the DF flag to begin with. A router tries to forward an
IP datagram, with the DF bit set, onto a link that has a lower MTUthan the size of the packet, the
router will drop the packet and return an Internet ControlMessage Protocol (ICMP) "Destination
Unreachable" message to the source of this IP datagram, withthe code indicating "fragmentation
needed and DF set" (type 3, code 4). When the source stationreceives the ICMP message, it will
lower the send MSS, and when TCP retransmits the segment, itwill use the smaller segment size.
Question: 28.
In the realm of email security, “message repudiation” refers to what concept?
A. A user can validate which mail server or servers a message was passed through.
B. A user can claim damages for a mail message that damaged their reputation.
C. A recipient can be sure that a message was sent from a particular person.
D. A recipient can be sure that a message was sent from a certain host.
E. A sender can claim they did not actually send a particular message.
Answer: E
Explanation:
A quality that prevents a third party from being able to prove that a communication between two
other parties ever took place. This is a desirable quality if you do not want your communications
to be traceable. Non-repudiation is the opposite quality—a third party can prove that a
communication between two other parties took place. Non-repudiation is desirable if you want to
Page 12 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
be able to trace your communications and prove that they occurred. Repudiation – Denial of
message submission or delivery.
Question: 29.
A RARP is sent:
A. To map a hostname to an IP address.
B. To map an IP address to a hostname.
C. To map an MAC address to an IP address.
D. To map a MAC address to a hostname.
E. To map and IP address to a MAC address.
Answer: C
Explanation:
RARP is used to translate hardware interface addresses to protocol addresses
Question: 30.
Exhibit:
aaa authentication login default local tacacs
aaa authorization exec default tacacs
aaa authentication login vty tacacs local
aaa authorization exec vty tacacs if-authenticated
username abc password xuz
line vty 0 4
exec-timeout 0 0
If a router running IOS 11.3 is configured as shown in the TACACS server is down, what will
happen when someone Telnets into the router?
A. Using the local username, the user will pass authentication but fail authorization.
B. The user will be bale to gain access using the local username and password, since list vty will
be checked.
C. Using the local username, the user will bypass authentication and authorization since the
server is down.
D. The user will receive a message saying “The TACACS+ server is down, please try again later”.
Answer: B
Explanation:
aaa authentication login vty tacacs local aaa authorization exec vty tacacs if-authenticated
This lines in the config mean that the vty lines are to use tacacs first but the timeout expires and
authentication then goes to the local database If-authenticated states that if authenticated before
do not authenticate again.
Question: 31.
When an IPSec authentication header (AH) is used in conjunction with NAT on the same IPSec
endpoint, what is the expected result?
A. NAT has no impact on the authentication header.
B. IPSec communicates will fail because the AH creates a hash on the entire IP packet before
NAT.
C. AH is only used in IKE negotiation, so only IKE will fail.
D. AH is no a factor when used in conjunction with NAT, unless Triple DES is included in the
transform set.
Page 13 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Answer: B
Explanation:
AH runs the entire IP packet, including invariant header fields such as source and destination IP
address, through a message digest algorithm to produce a keyed hash. This hash is used by the
recipient to authenticate the packet. If any field in the original IP packet is modified, authentication
will fail and the recipient will discard the packet. AH is intended to prevent unauthorized
modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP
packets. Therefore, AH + NAT simply cannot work.
Question: 32.
Which of the following statements regarding Routing Information Protocol (RIP) is valid?
A. RIP runs on TCP port 520.
B. RIP runs directly on top of IP with the protocol ID 89.
C. RIP runs on UDP port 520.
D. RIP does not run on top of IP.
Answer: C
Question: 33.
A security System Administrator is reviewing the network system log files. The administrator
notes that:
- Network log files are at 5 MB at 12:00 noon.
- At 14:00 hours, the log files at 3 MB.
What should the System Administrator assume has happened and what should they do?
A. Immediately contact the attacker’s ISP and have the connection disconnected, because an
attack has taken place.
B. Log the file size, and archive the information, because the router crashed.
C. Run a file system check, because the Syslog server has a self correcting file system problem.
D. Disconnect from the Internet discontinue any further unauthorized use, because an attack has
taken place.
E. Log the event as suspicious activity, continue to investigate, and take further steps according
to site security policy.
Answer: E
Explanation:
This question os much like one from vconsole (see reference)"You should never assume a host
has been compromised without verification. Typically, disconnecting a server is an extreme
measure and should only be done when it is confirmed there is a compromise or the server
contains such sensitive data that the loss of service outweighs the risk. Never assume that any
administrator or automatic process is making changes to a system. Always investigate the root
cause of the change on the system and follow your organizations security policy." Cisco Certified
Internetwork Expert Security Exam V1.7/Vconsole update questions by John Kaberna See
ccbootcamp.com
Question: 34.
When using PKI, what is true about Certificate Revocation List (CRL):
A. The CRL is used to check presented certificates to determine if they are revoked.
B. A router or PIX will not require that the other end of the IPSec tunnel have a certificate if the crl
optional command is in place.
Page 14 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
C. The router’s CRL includes a list of clients that have presented invalid certificates to the router
in the past.
D. It resides on the CA server and is built by querying the router or PIX to determine which clients
have presented invalid certificates in the past.
Answer: A
Explanation:
A router or PIX will not require that the other end of the IPSec tunnel have a certificate if the crl
optional command is in place --THIS SEEMS A RESONABLE ANSWER BUT HERE IS WHY I
DISCOUNT IT--"will not require that the other end of the IPSec tunnel have a certificate" -- The
PIX allows the Certificate even if the CA DOES NOT RESPOND. I have not seen it stated that it
will allow NO certificate. To allow other peers' certificates to still be accepted by your router even
if the appropriate Certificate Revocation List (CRL) is not accessible to your router, use the crl
optional configuration command. If the PIX Firewall does not receive a certificate from the CA
within 1 minute (default) of sending a certificate request, it will resend the certificate request. The
PIX Firewall will continue sending a certificate request every 1 minute until a certificate is
received or until 20 requests have been sent. With the keyword crloptional included within the
command statement, other peer's certificates can still be accepted by your PIX Firewall even if
the CRL is not accessible to your PIX Firewall.
Question: 35.
A remote user tries to login to a secure network using Telnet, but accidentally types in an invalid
username or password. Which response would NOT be preferred by an experienced Security
Manager? (Multiple answer)
A. Invalid Username
B. Invalid Password
C. Authentication Failure
D. Logon Attempt Failed
E. Access Denied
Answer: A, B
Explanation:
As little information as possible should be given about a failed login attempt. Invalid username or
password is not desirable.
Question: 36.
Some packet filtering implementations block Java by finding the magic number 0xCAFEBABE at
the beginning of documents returned via HTTP.How can this Java filter be circumvented?
A. By using Java applets in zipped or tarred archives.
B. By using FTP to download using a web browser.
C. By using Gopher.
D. By using non-standard ports to enable HTTP downloads.
E. All of the above.
Answer: E
Explanation:
NOT SURE ABOUT THIS ANSWER BUT THE NON-STANDARD PORT AND ZIPPED/TARRED
ANSWERS ARE CORRECT. Java blocking can be configured to filter or completely deny access
to Java applets that are not embedded in an archive or compressed file. Java applets may be
downloaded when you permit access to port 80 (http) (so the non-standard port answer seems
Page 15 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
logical) Cisco secure PIX firewall Advanced 2.0 9-16 Applets that are transmitted as embedded
archives are not recognized and therefore cannot be blocked. CCIE Proffessional Development
Network Security Principles and Practices by Saadat Malik pg 203 also see Cisco Certified
Internetwork Expert Security Exam v1.7 by John Kaberna pg 404
Question: 37.
What is the term used to describe an attack that falsifies a broadcast ICMP echo request and
includes a primary and secondary victim?
A. Fraggle Attack
B. Man in the Middle Attack
C. Trojan Horse Attack
D. Smurf Attack
E. Back Orifice Attack
Answer: D
Explanation:
Trojan and Back orifice are Trojan horse attacks. Man in the middle spoofs the Ip and redirects
the victems packets to the cracker The infamous Smurf attack. preys on ICMP's capability to
send traffic to the broadcast address. Many hosts can listen and respond to a single ICMP echo
request sent to a broadcast address.
Network Intrusion Detection third Edition by Stephen Northcutt and Judy Novak pg 70 The
"smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as
the ICMP echo packets; it was a simple re-write of "smurf".
Question: 38.
User_A and User_B are logged into Windows NT Workstation Host_A and Host_B respectively.
All users are logged in to the domain”CORP”.
All users run a logon script with the following line: “net useD:CORPSVRdata”
- User_A and User_B are both members of the local group “USERS”.
- Local group “USERS” is includes in global group “DOMAIN USERS”.
- All users, hosts, and groups are in the domain “CORP”.
- The directory CORPSVRdata has the share permission for local group “USERS” set to “No
Access”.
- The Microsoft Word document CORPSVRdataword.doc has file permissions for local group
“USERS” set to “Full Control”.
- The Microsoft Word document CORPSVRdataword.doc is owned by User_B.
Given this scenario on a Windows NT 4.0 network, what is the expected behavior when User_A
attempts to edit D:word.doc?
A. Local groups cannot be placed into global groups.
The situation could not exist.
B. There is not enough information.
Permissions on Microsoft Word are set within the application and are not subject to file and
share level permissions.
C. Access would be denied.
Only the owner of a file can edit a document.
D. Access would be denied. “No access” overrides all other permissions unless the file is owned
by the user.
E. User_A has full control and can edit the document successfully.
Answer: A
Page 16 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Explanation:
Based on the name of each group, you might think that you'd add local groups to global groups.
This isn't the case. You assign users or global groups to local groups to give access to local
resources
Question: 39.
Which of the following is an invalid Cisco Secure Intrusion Detection System function?
A. Cisco Secure Intrusion Detection System sets off an alarm when certain user-configurable
strings are matched.
B. Cisco Secure Intrusion Detection System sends e-mail messages at particular alarm levels via
eventd.
C. Cisco Secure Intrusion Detection System performs a traceroute to the intruding system.
D. Cisco Secure Intrusion Detection System sends a TCP reset to the intruder when operating in
packet sniffing mode.
Answer: C
Explanation:
Traceroute is not done.
Question: 40.
Kerberos is mainly used in:
A. Session-layer protocols, for data integrity and checksum verification.
B. Presentation-layer protocols, as the implicit authentication system for data stream or RPC.
C. Transport and Network-layer protocols, for host to host security in IP, UDP, or TCP.
D. Datalink-layer protocols, for cryptography between bridges and routers.
E. Application-layer protocols, like Telnet and FTP.
Answer: E
Explanation:
Type Application layer protocol. Ports: 88 (UDP) 464 (TCP, UDP) change/set password.
Question: 41.
Why would you advice the new Company trainee technician NOT to use NFS protocol for use
across a firewall or a security domain?
A. The security of the protocol is not stringent because File permissions can easily be modified in
the requests.
B. Industry technicians do not understand NFS well, but is actually appropriate to run across
various security domains.
C. NFS is not secure because it does not have the concept of users and permissions.
D. It is UDP based which makes its state difficult to track.
E. This protocol uses a range of ports, and firewalls have difficulty opening the proper entry points
to allow traffic.
Answer: D
Explanation: NOT SURE ABOUT THIS ONE Another use of RPC is with the following command
to see the exports of 204.31.17.25 if you want to allow NFS mounting from outside in. Note RPC
is a very nonsecure protocol and should be used with caution. Type Application layer file transfer
protocol. Port 2049 (TCP, UDP).
Page 17 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Question: 42.
Exhibit:
In order to allow IPSec to handle multiple peers from Router A, which crypto map and access list
commands should be used?
A. crypto map foo 10 ipsec-isakmp
set peer B
match address 101
set trans bar
crypto map foo 20
ipsec-isakmp
set peer C
match address 102
set trans bar access-list 101 permit ip 20.1.1.0
0.0.255 30.1.1.0 0.0.0.255
access-list 102 permit ip 20.1.1.0 0.0.255 40.1.1.0 0.0.0.255
B.crypto map foo 10 ipsec-isakmp set peer B set peer C match address 101 set trans bar
access-list 101 permit ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255 access-list 101 permit ip
20.1.1.0
0.0.0.255 40.1.1.0 0.0.0.255
C. crypto map foo 10 ipsec-isakmp
set peer B
match address 101
set trans bar crypto map foo 20
ipsect-isakmp set per C match address 101 set trans bar access-list 101 permit ip 20.1.1.0
0.0.0.255 30.1.1.0 0.0.0.255 access-list 101 permit ip 20.1.1.0 0.0.0.255 40.1.1.0 0.0.0.255
D. crypto map foo 10 ipsec-isakmp set peer B match address 101 set trans bar crypto trans bar
crypto map foo 20 ipsec-isakmp set peer C match address 102 set trans bar access-list 101
permit ip 20.1.1.0 0.0.0.255 any access-list 102 permit ip 20.1.1.0 0.0.0.255 any
E. crypto map foo 10 ipsec-isakmp set peer B match address 101 set trans bar crypto map foo 10
Ipsec-isakmp set peer C match address 102 set trans bar access-list 101 permit ip 20.1.1.0
0.0.0.255 any access-list 102 permit ip 20.1.1.0 0.0.0.255 any
Answer: A
Question: 43.
The Unix file /etc/shadow is:
A. A place to store encrypted passwords without referencing the /etc/passwd file.
B. Referenced by login when the /etc/passwd file contains an asterisk in the third field.
C. Referenced by NIS when the /etc/passwd file contains a line with the first character of ‘+’.
D. A read-protected file referenced by login when the /etc/passwd file contains a special character
in the second field.
Answer: D
Page 18 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Explanation:
One of these is the shadow password scheme, which is used by default. The encrypted password
is not kept in /etc/passwd, but rather in /etc/shadow. /etc/passwd has a placeholder, x, in this
field. passwd is readable by everyone, whereas shadow is readable only by root. The shadow file
also contains password aging controls. * or !! in the password field of /etc/shadow indicates that
the account is disabled.
Question: 44.
Exhibit:
In a reorganization, OSPF areas are realigned. What changes will you advice the Company
trainee technician to make to the network and/or router configurations to render this a valid
network design?
(Choose all that apply.)
A. The trainee should configure Router B as an Area Border Router between Area 60 and area 6.
B. The trainee should configure a virtual link between Area 60 and Area 0.
C. The trainee should install a serial line or other physical connection between devices in Area 60
and Area 0.
D. This design is not a valid, and no changes can make it work.
Answer: B, C
Question: 45.
Two remote LANs connected via a serial connection are exchanging routing updates via RIP. An
alternate path exists with a higher hop count. When the serial link fails, users complain of the time
it takes to transfer to the alternate path.What can be done to improve this?
A. Change the hop count on an alternate path to be the same cost.
B. Increase the bandwidth of the alternate serial connection.
C. Configure a static route via the alternate route with an appropriate administrative cost.
D. Reduce or disable the holdown timer using the timers basic command.
Answer: D
Question: 46.
Network Address Translation (NAT) may not work well:
A. With outbound HTTP when AAA authentication is involved.
B. When PAT (Port Address Translation) is used on the same firewall.
C. When used in conjunction with static IP addresses assignment to some devices.
D. With traffic that carries source and/or destination IP addresses in the application data stream.
E. With ESP Tunnel mode IPSec traffic.
Answer: D
Page 19 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Explanation:
AH does not work with NAT
Question: 47.
Inside addresses = 131.108.0.0
Outside global addresses = 198.108.10.0
Serial 0 is connected to the outside world
Given the information above, what Network Address Translation (NAT) configuration is correct?
A. ip nat pool CCIE-198 198.108.10.0 198.108.10.255 prefex-length 24. ip nat inside source list 1
pol CCIE-198 interface serial 0 ip address 131.108.1.1 255.255.255.0 ip nat outside interface
Ethernet0 ip address 198.108.10.1 255.255.255.0 ip nat inside access-list 1 permit 131.108.0.0
0.0.255.255
B. ip nat pool CCIE-198 198.108.10.0 198.108.10.255 prefix-length 24 ip nat inside source list 1
pool CCIE-198 interface serial 0 ip address 198.108.10.1 255.255.255.0 ip nat outside
interface Ethernet0 ip address 131.108.1.1 255.255.255.0 ip nat inside access-list 1 permit
131.108.0 0.0.255.255
C. ip nat pool CCIE-198 198.108.10.0 198.108.10.255 prefix-length 24. ip nat inside source list 1
pool CCIE-198 interface serial 0 ip address 198.108.10.1 255.255.255.0 ip nat outside
interface Ethernet0 ip address 131.108.1.1 255.255.255.0 ip nat inside access-list 1 permit
198.108.10.0 0.0.0.255
D. ip nat pool CCIE-131 131.108.1.0 131.108.1.255 prefix-length 24. ip nat inside source list 1
pool CCIE-131 interface serial 0 ip address 198.108.10.1 255.255.255.0 ip nat inside interface
Ethernet0 ip address 131.108.1.1 255.255.255.0 ip nat outside access-list 1 permit
198.108.10.0 0.0.0.255
Answer: B
Explanation:
ip nat inside source list 1 pool CCIE-198 calls access list 1 to state which ip address are to be
nated
Question: 48.
PFS (Perfect Forward Security) requires:
A. Another Diffie-Hellman exchange when an SA has expired
B. Triple DES
C. AH
D. ESP
E. A discrete client
Answer: A
Explanation:
crypto map mymap 10 set pfs group2 This example specifies that PFS should be used whenever
a new security association is negotiated for the crypto map "mymap 10." The 1024-bit Diffie-
Hellman prime modulus group will be used when a new security association is negotiated using
the Diffie-Hellman exchange.
Question: 49.
What service SHOULD be enabled on ISO firewall devices?
A. SNMP with community string public.
Page 20 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
B. TCP small services.
C. UDP small services.
D. Password-encryption.
E. CDP
Answer: D
Explanation:
To encrypt passwords, use the SERVICE password-encryption global configuration command
The answer of TCP small-serivces and UDP are TCP and UDP small-servers
Question: 50.
Which of the following statements regarding SNMP v1 community strings is valid?
A. SNMP v1 community strings are encrypted across the wire.
B. SNMP v1 community strings can be used to gain unauthorized access into a device if the read-
write string is known.
C. SNMP v1 community strings are always the same for reading & writing data.
D. SNMP v1 community strings are used to define the community of devices in a single VLAN.
Answer: B
Explanation:
SNMP is also capable changing the configurations on the host, allowing the remote management
of the network device.
Question: 51.
Under normal circumstances, after a single IPSec tunnel has been established, how many IPSec
security associations should be active on the system?
A. One per protocol (ESP and AH)
B. Two per protocol (ESP and AH)
C. Three per protocol (ESP and AH)
D. Four per protocol (ESP and AH)
E. Five total (either ESP or AH)
Answer: B
Explanation:
Once established, the set of security associations (outbound, to the remote peer) is then applied
to the triggering packet as well as to subsequent applicable packets as those packets exit the PIX
Firewall.
"Applicable" packets are packets that match the same access list criteria that the original packet
matched. For example, all applicable packets could be encrypted before being forwarded to the
remote peer. The corresponding inbound security associations are used when processing the
incoming traffic from that peer. If IKE is used to establish the security associations, the security
associations will have lifetimes so that they will periodically expire and require renegotiation. (This
provides an additional level of security.) Multiple IPSec tunnels can exist between two peers to
secure different data streams, with each tunnel using a separate set of security associations. For
example, some data streams might be just authenticated while other data streams must be both
encrypted and authenticated. You can change the global lifetime values that are used when
negotiating new IPSec security associations. (These global lifetime values can be overridden for
a particular crypto map entry.) These lifetimes only apply to security associations established via
IKE.
Page 21 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Manually established security associations do not expire. There are two lifetimes: a "timed"
lifetime and a "traffic-volume" lifetime. A security association expires after the respective lifetime
is reached and negotiations will be initiated for a new one.
Question: 52.
Which of the following does NOT qualify to be an example of a supported ISAKMP keying
mechanism?
A. Pre-shared
B. Perfect Forward Secrecy
C. RSA
D. Certificate authority
Answer: B
Explanation:
The three main mechanisms of devices authentication are - Preshared keys, Digital signatures,
encrypted nonces CCIE Professional Development Networks Security Principles and Practices by
Saadat Malik pg 306 The two entities must agree on a common authentication protocol through a
negotiation process using either RSA signatures, RSA encrypted nonces, or pre-shared keys. To
specify that IPSec should ask for perfect forward secrecy (PFS) when requesting new security
associations for this crypto map entry, or that IPSec requires PFS when receiving requests for
new security associations
Question: 53.
Exhibit:
10.1.1.0/24 through OSPF
10.1.0.0/16 through EIGRP
10.1.0.0&16 static
If a router had the three routers listed, which one of the routers would forward a packet destined
for 10.1.1.1?
A. 10.1.0.0/16 though EIGRP, because EIGRP routes are always preferred over OSPF or static
routes.
B. 10.1.0.0/16 static, because static routes are always preferred over OSPF or EIGRP routes.
C. 10.1.1.0/24 through OSPF because the route with the longest prefix is always chosen.
D. Whichever route appears in the routing table first.
E. The router will load share between the 10.1.0.0/16 route through EIGRP and the 10.1.0.0/16
static route.
Answer: C
Explanation:
This is a tricky question. If you look at the AD the 0/1 for static/default routes would be chosen
first then (90) EIGRP then (110) OSPF So pick your option. I think it is OSPF because all static
and default routes would be the chosen route.
Question: 54.
Describe the correct authentication sequence for the IOS Firewall Authentication Proxy:
A. The user authenticates by FTP, and route maps are downloaded from the proxy server.
B. The user authenticates locally to the router.
C. The user authenticates by Telnet, and access lists are downloaded from the AAA server.
Page 22 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
D. The user authenticates by HTTP, or Telnet, and access lists are downloaded from the AAA
server.
E. The user authenticates by HTTP, and access lists are downloaded from the AAA server.
Answer: E
Explanation:
When a user initiates an HTTP session through the firewall, the authentication proxy is triggered
Question: 55.
Exhibit:
Host A is attempting to send a packet through Router B to Host D as illustrated above. There are
neither routing protocols configured nor are there any static routes for router B or C. However,
Router B does have a default-gateway configured to the IP address of Router C using the
configuration ip default-gateway 10.1.2.2.
Will Host A’s packet reach Host D?
A. Yes, the packets will reach Host D if the routers are configured to bridge.
B. Yes, the packets will reach Host D because Router B will forward the packets destined to
10.1.3.0/24 to Router C through its IP default-gateway configuration.
C. Yes, the packets will reach Host D, but Host D will not be able to communicate back to Host A,
so the session will fail.
D. This will work if CDP is enabled on the routers.
E. Routers only route packets to routes in the routing table, not their IP default-gateway so Host
A’s packets will never reach Router C or Host D.
Answer: E
Explanation:
By disabling routing in router, router no longer forwards packets that it received.By configuring IP
default gateway, router only send packets it creates itself.
Question: 56.
The purpose of Administrative Distance, as used by Cisco routers, is:
A. To choose between routes from different routing protocols when receiving updates for the
same network.
B. To identify which routing protocol forwarded the update.
C. To define the distance to the destination used in deciding the best path.
D. To be used only for administrative purposes.
Answer: A
Explanation:
Page 23 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
Administrative distance is the feature used by routers to select the best path when there are two
or more different routes to the same destination from two different routing protocols.
Administrative distance defines the reliability of a routing protocol. Each routing protocol is
prioritized in order of most to least reliable (believable) using an administrative distance value.
Question: 57.
- User_A and User_B are both members of the global group “DOMAIN USERS”.
- Global group “DOMAIN USERS” is included in local group “USERS”.
- All users and groups are in the domain “CORP”.
- The directory D:data has the share permission for local group “USERS” set to “Read”.
- The Microsoft Word document D:dataword.doc has file permissions for local group “USERS”
set to “Full Control”.
- The Microsoft Word document D:dataword.doc is owned by User_B.
Given this scenario on a Windows NT 4.0 network, what is the expected behavior when User_A
attempts to edit D:dataword.doc?
A. User_A has full control and can edit the document successfully.
B. There is not enough information. Permissions for Microsoft Word are set within the application
and are not subject to file and share level permissions.
C. Access would be denied.
Only the owner of a file can edit a document.
D. Global groups can not be placed into local groups.
The situation could not exist.
E. Edit access would be denied.The “Read” permission is least permissive so it would apply in
this situation.
Answer: A
Question: 58.
A network manager issues an RCP (Remote Copy) when copying a configuration from a router to
a Unix system. What file on the Unix system would need to be modified to allow the copying to
occur?
A. rcmd
B. rcmd.allow
C. allow.rcmd
D. hosts.allow
E. .rhosts
Answer: D
Explanation:
NOT SURE OF THIS ANSWER I AM SAYING .RHOSTS The $HOME/.rhosts file defines which
remote hosts (computers on a network) can invoke certain commands on the local host without
supplying a password. This file is a hidden file in the local user's home directory and must be
owned by the local user
Question: 59.
In the context of intrusion detection, what is the definition of exploit signatures?
A. Policies that prevent hackers from your network.
B. Security weak points in your network that can be exploited by intruders.
C. Identifiable patterns of attack detected on your network.
D. Digital graffiti from malicious users.
Page 24 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
E. Certificates that authenticate authorized users.
Answer: C
Question: 60.
The network administrator has forgotten the enable password of the router. Luckily, no one is
currently logged into the router, but all passwords on the router are encrypted.
What should the administrator do to recover the enable secret password?
A. Call the Cisco Technical Assistance Center (TAC) for a specific code that will erase the
existing password.
B. Reboot the router, press the BREAK key during boot up, boot the router into ROM Monitor
mode to either erase or replace the existing password, and reboot the router as usual.
C. Reboot the router, press the BREAK key during boot up, and boot the router into ROM Monitor
mode to erase the configuration, and re-install the entire configuration as it was saved on a
TFTP server.
D. Erase the configuration, boot the router into ROM Monitor mode, press the BREAK key, and
overwrite the previous enable password with a new one.
Answer: C
Explanation:
The other possible answer is not correct in my view as you still need to put the config back onto
the router after rommon mode (normally in nvram but TFTP is a valid storage place as well)
Question: 61.
According to RFC 1700, what well-known ports are used for DNS?
A. TCP and UDP 23.
B. UDP 53 only.
C. TCP and UDP 53.
D. UDP and TCP 69.
Answer: C
Explanation:
Type Application layer name space translation protocol. Port 53 (TCP, UDP) server.
Question: 62.
The purpose of Lock & Key is:
A. To secure the console port of the router so that even users with physical access to the router
cannot gain access without entering the proper sequence.
B. To allow a user to Telnet to the router and have temporary access lists applied after issuance
of the access-enable command.
C. To require additional authentication for traffic travelling through the PIX for TTAP compliance.
D. To prevent users from getting into enable mode.
Answer: B
Explanation:
Lock-and-key access allows you to set up dynamic access lists that grant access per user to a
specific source/destination host through a user authentication process. You can allow user
access through a firewall dynamically, without compromising security restrictions. The following
process describes the lock-andkey access operation A user opens a Telnet session to a border
Page 25 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
router configured for lock-and-key access. The Cisco IOS software receives the Telnet packet
and performs a user authentication process. The user must pass authentication before access is
allowed. The authentication process can be done by the router or a central access server such as
a TACACS+ or RADIUS server.
Question: 63.
Besides Kerberos port traffic, what additional service does the router and the Kerberos server
use in implementing Kerberos authentication on the router?
A. TCP
B. Telnet
C. DNS
D. FTP
E. ICMP
F. None of the above.
Answer: C
Explanation:
They will need to use DNS unless the router is hard coded with the IP address of the server.
Note:
Kerberos authentication requires that NTP is enabled. Additionally, we recommend that you
enable DNS.
Not B:
The question is: What ADDITIONAL service does the router and the Kerberos server use. They
do not USE the TELNET service during authentication.
Question: 64.
Identify the default port(s) used for web-based SSL (Secure Socket Layer) Communication:
A. TCP and UDP 1025.
B. TCP 80.
C. TCP and UDP 443.
D. TCP and UDP 1353.
Answer: C
Explanation:
Secure Sockets Layer (SSL) is an application-level protocol that enables secure transactions of
data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and
private keys. Use 443 (generally used for SSL transactions) as the SSL TCP service port and 443
as the clear text port. Configure the server to not use SSL and to monitor port 443. TCP service
port 80 requests are serviced normally. Use 443 as the SSL TCP service port and 81 (or another
unused port) for the clear text port. Configure the server to monitor port 81. TCP service port 80
requests are serviced normally.
Question: 65.
In the TACACS+ protocol, the sequence number is: (Multiple answer)
A. An identical number contained in every packet.
B. A number that must start with 1 (for the fist packet in the session) and increment each time a
request or response is sent.
C. Always an odd number when sent by the client.
Page 26 of 272

Exam Name: CCIE Pre-Qualification Test for Security
Exam Type: Cisco
Exam Code: 350-018 Total Questions: 803
D. Always an even number when sent by the client and odd when sent by the daemon.
Answer: B, C
Explanation:
Seq_no - The sequence number of the current packet for the current session. The first TACACS+
packet is a session must have the sequence number 1, and each subsequent packet increments
the sequence number by 1. Thus, clients (such as the NAS) send only packets containing odd
sequence numbers, and TACACS+ daemons send only packets containing even sequence
numbers. The sequence number mst never wrap. In other words, if the sequence number 2^8-1
is ever reached, that session must terminate and be restarted with a sequence number of 1.
CCIE Professional Development Network Security Principles and Pratices by Saadat Malik pg
496.
Question: 66.
The Company network administrator is troubleshooting a problem with FTP services. What will
the administrator encounter if a device blocks the data connection?
A. The administrator will experience very slow connect times.
B. Incomplete execution, when issuing commands like “pwd” or “cd”.
C. User login problems will occur.
D. Failure when listing a directory.
E. No problems at all.
Answer: D
Explanation:
Below is a capation from a cert advisory about FTP. FTP can have problems when the data
channel is blocked. In FTP PASV mode, the client makes a control connection to the FTP server
(typically port 21/tcp) and requests a PASV data connection. The server responds by listening for
client connections on a specified port number, which is supplied to the client via the control
connection An active open is done by the server, from its port 20 to the same port on the client
machine as was used for the control connection. The client does a passive open. For better or
worse, most current FTP clients do not behave that way.
Question: 67.
What return status will cause a AAA statement to look to next defined method for authentication?
A. Fail
B. Error
C. Access-reject
D. All of the above
Answer: B
Explanation:
The additional methods of authentication are used only if the previous method returns an
error,not if it fails. To specify that the authentication succeed even if all methods return an
error,specify none as the final method in the command line.
Question: 68.
Global deployment of RFC 2827 (ingress and egress filtering) would help mitigate what
classification of attack?
A. Sniffing attack
Page 27 of 272